Good day, everyone! )
I heard at Cisco Live and lately red in CCDP Cert guide that
| A major benefit associated with IPSec VTIs is that the configuration does not require a static mapping of IPSec sessions to a physical interface |
Hm, but from my point if we configure tunnel interface and specified source physical interfase for it and tunnel protection ipsec profile , that means that our IPSec session is binded to source physical interface (btw am I right here?). So to deatach IPSec session from physical interface we need to use loopbacks as VTI tunnel source and destination. I tried to configure it but unsuccessfully - tunnel interface protocol state dont come up. I checked liks with wireshark and discvered that packets are not event being tried to sent with VTI configuration, i changed mode from VTI to GRE and noticed that packets are sent by both ends but nodes transmits unencrypted packets but wait for IPSec encryted packets -
Mar 1 23:16:33.578: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /1.1.1.1, src_addr= 3.3.3.3, prot= 47
As i understand the problem is in that tunnel interface state are tied up to the underlying crypto sa but sa cannot be established due some problems in configuration. And when I remove tunnel protection ipsec profile TP command from tunnel configuration (in GRE case ofc) everething come up and work.
My config for IPSec on R1 (1.1.1.1):
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key cisco address 3.3.3.3
crypto isakmp profile VPN
keyring default
match identity address 3.3.3.3 255.255.255.255
local-address Loopback0
crypto ipsec transform-set TSET ah-sha-hmac
crypto ipsec profile TP
set transform-set TSET
set isakmp-profile VPN |
Config for tunnel interface:
interface Tunnel1
ip address 172.16.0.1 255.255.255.0
ip ospf 1 area 1
keepalive 10 3
tunnel source Loopback0
tunnel destination 3.3.3.3
tunnel mode ipsec ipv4
tunnel protection ipsec profile TP
end |
So how to fix it and make work with tunnel protection?
